Wednesday, June 10, 2015

The Investment Management Company, the Former Employee and Unauthorized Access -- UPDATE

Update:  On June 24, 2015, David Shen, the man whose indictment was the focus of the opinion examined below, was acquitted of all the charges against him.  You can read a news story about his acquittal in the article you can find here. The story notes that prior to the trial, the prosecutors offered to drop two charges against Shen he he would plead guilty to a misdemeanor, for which he would be put on probation.  He refused, went to trial and was acquitted, which only underlines the fact that a charge is just that. The person charged is presumed innocent until and unless the prosecution proves guilty beyond a reasonable doubt. 

This post examines an opinion recently issued by a U.S.District Court Judge who sits in the U.S. District Court for the Eastern District of Missouri:  U.S. v. Shen, 2015 WL 3417471 (2015).  The District Court Judge begins his opinion by explaining that
[p]ursuant to 28 U.S. Code § 636(b), the Court referred all pretrial matters in this case to United States Magistrate Judge Nannette A. Baker for determination and recommended disposition, where appropriate.

On April 21, 2015, Judge Baker issued a Report and Recommendation with respect to the motion filed by defendant David Shen to dismiss Count I of the indictment. Thereafter, the defendant filed timely objections to the recommendation that his motion be denied.
U.S. v. Shen, supra.
As Wikipedia explains, “[i]n In the United States federal courts, magistrate judges are appointed to assist United States district court judges in the performance of their duties. Magistrate judges are authorized by 28 U.S. Code § 631 et seq. 
Here, the District Court Judge went on to explain that
[p]ursuant to 28 U.S. Code § 636(b)(1), the Court is required to make a de novo determination of the specified proposed findings and recommendations to which objection is made.

Here, the defendant states that he objects to the Report and Recommendation `in their entirety in law and fact and pursuant to 28 U.S. Code 636(b)(1) with respect to each and all said recommendations, singularly and collectively, of the United States Magistrate Judge's Report and Recommendations.’

The defendant does not identify a specific portion of the Report and Recommendation that he objects to, nor does he state any basis for his objections. The defendant's general, non-specific objections are insufficient to trigger de novo review under § 636(b)(1).
U.S. v. Shen, supra.
In her Report and Recommendation, the Magistrate Judge began by explaining that
David Shen was charged by indictment with one count of unauthorized access of a computer and one count of attempted unauthorized access of a computer in violation of the Computer Fraud and Abuse Act (CFAA), 18 U.S. Code § 1030. . . .

Defendant was also charged with a third count for fraud in violation of 18 U.S. Code § 1343 and 2. On February 23, 2015, Defendant filed a Motion to Dismiss Counts I and II of the Indictment. . . . The Government filed its Response on March 2, 2015. . . .

On March 25, 2015, the undersigned held a hearing. At the hearing, counsel for Defendant withdrew his motion as to Count II. Having considered the briefs of the parties and argument by counsel at the hearing, the undersigned finds that Defendant's motion to dismiss Count I should be denied.
U.S. v. Shen, supra.  The Department of Justice press release you can find here provides a little more information about the charges.  And the news stories you can find here and here also provide information about the conduct that led to the charges.
The Magistrate Judge began her analysis of Shen’s argument as to why Counts I and II should be dismissed by explaining that
[a]n indictment is sufficient if: (1) it contains all of the essential elements of the offense charged; (2) it fairly informs the defendant of the charges against which he must defend; and (3) it alleges sufficient information to allow a defendant to plead a conviction or acquittal as a bar to a subsequent prosecution. U.S. v. Fleming, 8 F.3d 1264 (U.S. Court of Appeals for the 8th Circuit 1993). `An indictment is normally sufficient if its language tracks the statutory language.’ U.S. v. Sewell, 513 F.3d 820 (U.S. Court of Appeals for the 8th Circuit 2008).

An indictment is insufficient if it is `so defective that it cannot be said, by any reasonable construction, to charge the offense for which the defendant was convicted.’  U.S. v. Fleming, supra. When a defendant moves to dismiss a count for failure to state an offense, the court takes the allegations in the indictment as true and should refrain from considering evidence outside the indictment. U.S. v. Sampson, 371 U.S. 75 (1962). . . .
U.S. v. Shen, supra.  
She then went on to explain that
Count I of the indictment charges Shen with unauthorized access of a computer in violation of § 1030(a)(2)(C) of the [Computer Fraud and Abuse Act]. Section 1030(a)(2)(C) provides in relevant part: `Whoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer . . . shall be punished.’ Through his employment as a risk manager with Washington University, Shen gained access to password-protected third party service providers described in the indictment as Service Provider A and Service Provider B.

On October 6, 2011, Shen resigned from his position in lieu of being terminated. Count I charges in relevant part:

`On or about October 28, 2011, in the Eastern District of Missouri and elsewhere, DAVID SHEN, the defendant herein, intentionally accessed a protected computer used in interstate and foreign commerce, without authorization and exceeding any authorized access he had previously been given, and thereby obtained information from that protected computer . . . to wit, the defendant used his personal computer to access without authorization, and in excess of any authorized access, a computer system associated with Service Provider A and thereby downloaded a Risk Report for Washington University HF Portfolio for the month of August 2011.’
U.S. v. Shen, supra.  
The Magistrate Judge also noted that, challenging the indictment, Shen argued that
Count I should be dismissed for failure to state an offense because he was authorized to access Service Provider A, either because he used his personal computer or because his password still worked. The undersigned disagrees.
U.S. v. Shen, supra.  
She went on to explain why she disagreed:
The language of Count I tracks the language of [18 U.S. Code] § 1030(a)(2)(C) and the Eighth Circuit Model Jury Instruction.  Shen's arguments are essentially challenges to the sufficiency of the evidence, which cannot be decided at this stage. U.S. v. Ferro, 252 F.3d 964 (U.S. Court of Appeals for the 8th Circuit 2001); U.S. v. Perez, 575 F.3d 164 (U.S. Court of Appeals for the 2d Circuit 2009).

The indictment reflects that Shen was given access to Service Provider A in connection with his employment and that he accessed Service Provider A after he had resigned. There is significant authority that such access is unauthorized under § 1030(a)(2)(C). See, e.g., U.S. v. Steele,  2014 WL 7331679 (U.S. Court of Appeals for the 4th Circuit 2014). . . .

Furthermore, the fact that Shen used his personal computer does not foreclose a finding of unauthorized access. Count I specifically alleges that Shen accessed `without authorization, and in excess of any authorized access, a computer system associated with Service Provider A.’ While the Government will have to show that Service Provider A's computer system meets the statutory definition of a `computer,’ nothing more is required at this stage. . . .
U.S. v. Shen, supra (emphasis in the original).
In the paragraph above, the Magistrate Judge explains that the charging language in Count I of the indictment tracked the language of the U.S. Court of Appeals for the Eighth Circuit’s Model Jury Instruction, i.e., the form instruction to be given to a jury when someone is being prosecuted for this crime.  The instruction at issue provides as follows:
The crime of computer fraud to obtain confidential information . . . has two essential elements, which are:

One, the defendant intentionally accessed a computer without authorization or exceeding authorized access, and

Two, the defendant obtained information.
U.S. v. Shen, supra (quoting Model Instruction 6.18.1030B).
She goes on to explain that Shen
additionally argues that § 1030(a)(2)(C) is impermissibly vague as applied to him. He essentially argues that his authorization hinges on an agreement between his employer and Service Provider A which he never saw and therefore he had no notice that his conduct was criminal. The argument fails.

There is some disagreement as to whether an employee who properly accesses a computer and then misuses the information can be convicted under § 1030(a)(2)(C). See U.S. v. Nosal, 676 F.3d 854 (U.S. Court of Appeals for the 9th Circuit 2012). However, courts are clear that employees who gain access to a computer through their employment lose authorization once they have resigned or been terminated.  See, e.g., U.S. v. Steele, 2014 WL 7331679 (U.S. Court of Appeals for the 4th Circuit 2014). . . .
U.S. v. Shen, supra.  
For all these reasons, the Magistrate Judge recommended that Shen’s motion to dismiss Count I be denied.  U.S. v. Shen, supra.  
The District Court Judge then found that
that the magistrate judge did not err in her analysis of the law applicable to the defendant's motion. Accordingly, for the reasons discussed above,

IT IS HEREBY ORDERED that the Report and Recommendation of United States Magistrate Judge Nannette A. Baker is sustained, adopted, and incorporated herein.
U.S. v. Shen, supra (emphasis in the original).  So, Shen lost on his motion to dismiss Count I of the indictment. 

No comments: